Improper input validation in Linux kernel - CVE-2026-46309
Published: June 10, 2026
Vulnerability identifier: #VU134193
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-46309
CWE-ID: CWE-20
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Linux Foundation
Affected software:
Linux kernel
Linux kernel
Detailed vulnerability description
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to improper input validation in xe_vm_madvise_ioctl() when applying a PAT index with XE_COH_NONE to CPU cached memory. A local user can submit a crafted madvise request to disclose sensitive information.
This issue is limited to iGPU configurations, where the GPU can bypass CPU caches and read stale data directly from DRAM from previously freed pages of other processes.
How to mitigate CVE-2026-46309
Install security update from vendor's repository.